From ec4a500bb4f0c642fb4e013387d97aab3c516372 Mon Sep 17 00:00:00 2001
From: james
Date: Sun, 25 Oct 2009 15:51:04 +0000
Subject: On server, lock client-provided certs against mid-session TLS renegotiations -- this is similer to how the common name is also locked.
git-svn-id: http://svn.openvpn.net/projects/openvpn/branches/BETA21/openvpn@5105 e7ae566f-a301-0410-adde-c780ea21d3b5
---
 ssl.h | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)
(limited to 'ssl.h')
diff --git a/ssl.h b/ssl.h
index 7e0bfb5..3bb5fbe 100644
--- a/ssl.h
+++ b/ssl.h
@@ -302,6 +302,21 @@
 */
 /* #define MEASURE_TLS_HANDSHAKE_STATS */
+/*
+ * Keep track of certificate hashes at various depths
+ */
+
+/* Maximum certificate depth we will allow */
+#define MAX_CERT_DEPTH 8
+
+struct cert_hash {
+ unsigned char sha1_hash[SHA_DIGEST_LENGTH];
+};
+
+struct cert_hash_set {
+ struct cert_hash *ch[MAX_CERT_DEPTH];
+};
+
 /*
 * Key material, used as source for PRF-based
 * key expansion.
@@ -518,6 +533,8 @@ struct tls_session
 char *common_name;
+ struct cert_hash_set *cert_hash_set;
+
 #ifdef ENABLE_PF
 uint32_t common_name_hashval;
 #endif
@@ -589,10 +606,11 @@ struct tls_multi
 int n_soft_errors; /* errors due to unrecognized or failed-to-authenticate incoming packets */
 /*
- * Our locked common name and username (cannot change during the life of this tls_multi object)
+ * Our locked common name, username, and cert hashes (cannot change during the life of this tls_multi object)
 */
 char *locked_cn;
 char *locked_username;
+ struct cert_hash_set *locked_cert_hash_set;
 #ifdef ENABLE_DEF_AUTH
 /*
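Review bot: The identity that gets locked is a bare SHA-1 digest per chain depth (`sha1_hash[SHA_DIGEST_LENGTH]` in the new `struct cert_hash`), so two distinct certificates that collide under SHA-1 satisfy the lock; an attacker would additionally need the colliding certificate to pass chain verification, which the verify path outside this hunk presumably enforces, but nothing in the header pins the digest and a collision-resistant digest (SHA-256) would close that gap at no real cost. `MAX_CERT_DEPTH` bounds `ch[]` yet the header gives no contract for unused slots or for who frees the entries, and the code that stores a hash by verify depth (not in this hunk) must reject or clamp any depth `>= MAX_CERT_DEPTH` before indexing. I would document the set as `/* ch[depth] holds the hash of the cert at that chain depth, or NULL if none was presented; entries are owned by the set and freed with it */`.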
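Review bot: The new `locked_cert_hash_set` member in `struct tls_multi` only delivers the promised "cannot change" guarantee if every renegotiated session's `cert_hash_set` is compared against it as a whole, including which depths are populated; a comparison that walks only the non-NULL entries of one side would accept a shorter or differently shaped chain, and whether that is the case is decided in ssl.c, outside this hunk. The updated block comment says what the field is but not how it is enforced, so I would add next to the member `/* snapshot of the first authenticated session's cert_hash_set; a later session must present exactly the same depths and hashes or it is rejected */`. The enclosing `struct tls_multi` definition starts and ends outside the hunk.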
@@ -692,6 +710,7 @@ bool tls_rec_payload (struct tls_multi *multi,
 const char *tls_common_name (const struct tls_multi* multi, const bool null);
 void tls_set_common_name (struct tls_multi *multi, const char *common_name);
 void tls_lock_common_name (struct tls_multi *multi);
+void tls_lock_cert_hash_set (struct tls_multi *multi);
 #define TLS_AUTHENTICATION_SUCCEEDED 0
 #define TLS_AUTHENTICATION_FAILED 1
-- cgit
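Review bot: The new prototype `tls_lock_cert_hash_set` is added without any statement of its contract, and since it is the one public entry point of the whole lock mechanism a caller cannot tell from the header when it must be invoked (presumably once, after the first successful authentication, mirroring `tls_lock_common_name`) or what happens on a later session whose chain differs. I would put above the declaration a comment such as `/* Freeze the cert chain hashes of the currently authenticated session in multi->locked_cert_hash_set; subsequent renegotiations must present the same chain or fail authentication. Call once, after the first successful auth. */`. The header also declares no comparison or free helper for the set, so if those are static in ssl.c it is worth saying so here for the next maintainer.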